Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15/03/2024, 17:08
General
-
Target
cbf5bdb17cc3feccd573feab9655a7a5.exe
-
Size
187KB
-
MD5
cbf5bdb17cc3feccd573feab9655a7a5
-
SHA1
4c84a7476992912952ffa3f7438f919e4f8fe90b
-
SHA256
cf2cbad1f955dc1576733d0398c8eb6985d940a53237ba1bb0be1ac1f2ad6281
-
SHA512
20330a3601a979e3bf3d018de38b827f2d868e6c8642042cb875a9a0db39849ac255aa324976d2eebf16f7aedc3b843327f32044e78b265a273eb0862eabba88
-
SSDEEP
768:jeTDbPFalhisURRRVpRdNtAEaTtKmxFeMN1sDKZMbai8PK6LM5vjvVXS0gz41qjJ:jeHbPFcW3AEWgm3j1+uq6BN
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbf5bdb17cc3feccd573feab9655a7a5.exe"C:\Users\Admin\AppData\Local\Temp\cbf5bdb17cc3feccd573feab9655a7a5.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\cbf5bdb17cc3feccd573feab9655a7a52⤵
-
-
C:\ProgramData\application data\Lambda\DirLock.exe"C:\ProgramData\application data\Lambda\DirLock.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lgiu2j-lcij6j-gza6nn-4x2sc0-nlmdeh\2.exeC:\Users\Admin\AppData\Local\Temp\lgiu2j-lcij6j-gza6nn-4x2sc0-nlmdeh\2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\paa0wb-w0lij4-lnrmsf-gfu0zk-t4r1t7\2.exeC:\Users\Admin\AppData\Local\Temp\paa0wb-w0lij4-lnrmsf-gfu0zk-t4r1t7\2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6dc8xl-7416ck-3li33o-sezy2z-mbd3z5\2.exeC:\Users\Admin\AppData\Local\Temp\6dc8xl-7416ck-3li33o-sezy2z-mbd3z5\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9hwbg9-h2w1c1-gywqh1-cloey6-0jgzmi\2.exeC:\Users\Admin\AppData\Local\Temp\9hwbg9-h2w1c1-gywqh1-cloey6-0jgzmi\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9dduob-byr1d9-io2jz2-7c8n9d-23b1fj\2.exeC:\Users\Admin\AppData\Local\Temp\9dduob-byr1d9-io2jz2-7c8n9d-23b1fj\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\82d395-hh13gw-i8r1uv-o3d96p-cwu451\2.exeC:\Users\Admin\AppData\Local\Temp\82d395-hh13gw-i8r1uv-o3d96p-cwu451\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\t6hvh5-y88kr0-f7em8i-5p90rs-aq7ztn\2.exeC:\Users\Admin\AppData\Local\Temp\t6hvh5-y88kr0-f7em8i-5p90rs-aq7ztn\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4bq9gz-nzauig-yzucr5-5p5udy-ucbyn9\2.exeC:\Users\Admin\AppData\Local\Temp\4bq9gz-nzauig-yzucr5-5p5udy-ucbyn9\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bm0eba-obxf4x-65sqwe-7vhoae-dr4wm8\2.exeC:\Users\Admin\AppData\Local\Temp\bm0eba-obxf4x-65sqwe-7vhoae-dr4wm8\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\so3nsb-d7bh4r-p1k9of-xmkzk7-wilop7\2.exeC:\Users\Admin\AppData\Local\Temp\so3nsb-d7bh4r-p1k9of-xmkzk7-wilop7\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jvdppm-6t6bez-phpwgg-r2334e-ysekq7\2.exeC:\Users\Admin\AppData\Local\Temp\jvdppm-6t6bez-phpwgg-r2334e-ysekq7\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\lef1an-g6ifhs-tvfgbf-boas2x-cf0phw\2.exeC:\Users\Admin\AppData\Local\Temp\lef1an-g6ifhs-tvfgbf-boas2x-cf0phw\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ybik9g-m4zf8r-g1dk5y-swmbol-0gm2le\2.exeC:\Users\Admin\AppData\Local\Temp\ybik9g-m4zf8r-g1dk5y-swmbol-0gm2le\2.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vc0qm8-rysd3d-5ieo7z-xl4kt6-z6iri4\2.exeC:\Users\Admin\AppData\Local\Temp\vc0qm8-rysd3d-5ieo7z-xl4kt6-z6iri4\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\asdtmn-0fjxwy-u7mc23-7wjdwq-qqeoo8\2.exeC:\Users\Admin\AppData\Local\Temp\asdtmn-0fjxwy-u7mc23-7wjdwq-qqeoo8\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4tkq7b-ap7zj5-ziouih-j0wntx-vv5fdl\2.exeC:\Users\Admin\AppData\Local\Temp\4tkq7b-ap7zj5-ziouih-j0wntx-vv5fdl\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jx7f6p-9e2sqz-ef0rst-szm1wf-bn6mxw\2.exeC:\Users\Admin\AppData\Local\Temp\jx7f6p-9e2sqz-ef0rst-szm1wf-bn6mxw\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\knasa4-rdl9wx-h0re68-bsuscd-ohrt60\2.exeC:\Users\Admin\AppData\Local\Temp\knasa4-rdl9wx-h0re68-bsuscd-ohrt60\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gylleh-gpajth-mkxr5a-1y8bjw-vvmgg2\2.exeC:\Users\Admin\AppData\Local\Temp\gylleh-gpajth-mkxr5a-1y8bjw-vvmgg2\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vt7c83-3e735w-3a8s9w-zx0fq0-mvs1fd\2.exeC:\Users\Admin\AppData\Local\Temp\vt7c83-3e735w-3a8s9w-zx0fq0-mvs1fd\2.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rgbevb-t1plka-0r1263-ztdi04-ulgw79\2.exeC:\Users\Admin\AppData\Local\Temp\rgbevb-t1plka-0r1263-ztdi04-ulgw79\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pgttt9-7ao4kq-81d2zp-4iuzqt-tabup5\2.exeC:\Users\Admin\AppData\Local\Temp\pgttt9-7ao4kq-81d2zp-4iuzqt-tabup5\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\j51lxz-ml41ww-3ka3df-3gbshf-y33gyj\2.exeC:\Users\Admin\AppData\Local\Temp\j51lxz-ml41ww-3ka3df-3gbshf-y33gyj\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\r9656p-kcw1tw-mxa8hv-tnlq3o-iarudy\2.exeC:\Users\Admin\AppData\Local\Temp\r9656p-kcw1tw-mxa8hv-tnlq3o-iarudy\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\xad4kz-aza5em-tt5h54-tkufk3-zfhnwx\2.exeC:\Users\Admin\AppData\Local\Temp\xad4kz-aza5em-tt5h54-tkufk3-zfhnwx\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\54d3o6-pmlxzm-1huoj9-91uff2-9yv4k2\2.exeC:\Users\Admin\AppData\Local\Temp\54d3o6-pmlxzm-1huoj9-91uff2-9yv4k2\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2m3r6k-pkvcvw-98fxwd-k8zf62-ryaxsv\2.exeC:\Users\Admin\AppData\Local\Temp\2m3r6k-pkvcvw-98fxwd-k8zf62-ryaxsv\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7p0oyt-2g435y-f614zl-xzwfq3-yqld42\2.exeC:\Users\Admin\AppData\Local\Temp\7p0oyt-2g435y-f614zl-xzwfq3-yqld42\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
-
-
-
C:\Windows\lsass.exeC:\Windows\lsass.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wqww7f-wnxkbf-s9o8sj-f7huhw-zv0eic\2.exeC:\Users\Admin\AppData\Local\Temp\wqww7f-wnxkbf-s9o8sj-f7huhw-zv0eic\2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rj76lp-y9io7i-oxoshs-ior6ny-vdp7hl\2.exeC:\Users\Admin\AppData\Local\Temp\rj76lp-y9io7i-oxoshs-ior6ny-vdp7hl\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\okq7hn-pbg5vm-mrw2mq-akdxm1-4hs2i8\2.exeC:\Users\Admin\AppData\Local\Temp\okq7hn-pbg5vm-mrw2mq-akdxm1-4hs2i8\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6jbcdc-e4b395-e0bsd5-9m3gu9-xkw1jm\2.exeC:\Users\Admin\AppData\Local\Temp\6jbcdc-e4b395-e0bsd5-9m3gu9-xkw1jm\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\xho2pe-z229ed-6sdq06-vfju9g-q7m9gm\2.exeC:\Users\Admin\AppData\Local\Temp\xho2pe-z229ed-6sdq06-vfju9g-q7m9gm\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\r57639-zkw6a0-0bl4oz-678c0t-vzp7z5\2.exeC:\Users\Admin\AppData\Local\Temp\r57639-zkw6a0-0bl4oz-678c0t-vzp7z5\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2ahpbk-4qj6ai-mpq8r0-c7klaa-h8ikc5\2.exeC:\Users\Admin\AppData\Local\Temp\2ahpbk-4qj6ai-mpq8r0-c7klaa-h8ikc5\2.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7nvhx8-qbf2yp-2bzk8e-91a2u7-yog63i\2.exeC:\Users\Admin\AppData\Local\Temp\7nvhx8-qbf2yp-2bzk8e-91a2u7-yog63i\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\qiym7q-37wn0d-l1rzsv-mrgx6u-sn35io\2.exeC:\Users\Admin\AppData\Local\Temp\qiym7q-37wn0d-l1rzsv-mrgx6u-sn35io\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\qjmpsz-a2uj4f-mx3an3-uh31kv-ud4qov\2.exeC:\Users\Admin\AppData\Local\Temp\qjmpsz-a2uj4f-mx3an3-uh31kv-ud4qov\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gc7ikc-3az49o-nyjoa5-ojwwz3-v98dlw\2.exeC:\Users\Admin\AppData\Local\Temp\gc7ikc-3az49o-nyjoa5-ojwwz3-v98dlw\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8pw8lw-2h0ns1-f6xomo-y0szd6-yqhxs5\2.exeC:\Users\Admin\AppData\Local\Temp\8pw8lw-2h0ns1-f6xomo-y0szd6-yqhxs5\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\mv6lzv-bnngy6-4l2lvc-hfade0-o0a3bs\2.exeC:\Users\Admin\AppData\Local\Temp\mv6lzv-bnngy6-4l2lvc-hfade0-o0a3bs\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4wchwp-zj45dt-d2qfhf-65gb3m-8ruisl\2.exeC:\Users\Admin\AppData\Local\Temp\4wchwp-zj45dt-d2qfhf-65gb3m-8ruisl\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3ivfh8-t51jqj-nx4xxo-0m2yrb-jfx9it\2.exeC:\Users\Admin\AppData\Local\Temp\3ivfh8-t51jqj-nx4xxo-0m2yrb-jfx9it\2.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jdhalx-p94jxr-e1ldw2-ykt78i-ae2zs6\2.exeC:\Users\Admin\AppData\Local\Temp\jdhalx-p94jxr-e1ldw2-ykt78i-ae2zs6\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7f7z0p-xx1ckz-2xzbmu-ghllqg-z556rx\2.exeC:\Users\Admin\AppData\Local\Temp\7f7z0p-xx1ckz-2xzbmu-ghllqg-z556rx\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kubswf-rkmai8-g7sesi-bzvsyo-oottsb\2.exeC:\Users\Admin\AppData\Local\Temp\kubswf-rkmai8-g7sesi-bzvsyo-oottsb\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2uo5ju-3ld3xt-9g0b9n-oubuo9-hsp0kf\2.exeC:\Users\Admin\AppData\Local\Temp\2uo5ju-3ld3xt-9g0b9n-oubuo9-hsp0kf\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp1.exeC:\Windows\system32\winnthlp1.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp15⤵
-
-
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zc1rm-fkcsoe-fgdhsf-a2559j-y1xqyv\2.exeC:\Users\Admin\AppData\Local\Temp\7zc1rm-fkcsoe-fgdhsf-a2559j-y1xqyv\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\74i81s-8pwfpr-ff8xck-ehkc6l-99nrcq\2.exeC:\Users\Admin\AppData\Local\Temp\74i81s-8pwfpr-ff8xck-ehkc6l-99nrcq\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hyvzdd-zsqa4u-0jf8jt-w0v5ax-lsc099\2.exeC:\Users\Admin\AppData\Local\Temp\hyvzdd-zsqa4u-0jf8jt-w0v5ax-lsc099\2.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kjky20-mzne1y-4ytgig-3uu5mg-zhms3l\2.exeC:\Users\Admin\AppData\Local\Temp\kjky20-mzne1y-4ytgig-3uu5mg-zhms3l\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kiirhf-cl8n4m-e7musk-lwyced-ak3goo\2.exeC:\Users\Admin\AppData\Local\Temp\kiirhf-cl8n4m-e7musk-lwyced-ak3goo\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\winnthlp25⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wfrirg-94pjl3-sykudl-sp9srk-ykv03e\2.exeC:\Users\Admin\AppData\Local\Temp\wfrirg-94pjl3-sykudl-sp9srk-ykv03e\2.exe3⤵
-
C:\Windows\SysWOW64\winnthlp2.exeC:\Windows\system32\winnthlp2.exe4⤵
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187KB
MD5cbf5bdb17cc3feccd573feab9655a7a5
SHA14c84a7476992912952ffa3f7438f919e4f8fe90b
SHA256cf2cbad1f955dc1576733d0398c8eb6985d940a53237ba1bb0be1ac1f2ad6281
SHA51220330a3601a979e3bf3d018de38b827f2d868e6c8642042cb875a9a0db39849ac255aa324976d2eebf16f7aedc3b843327f32044e78b265a273eb0862eabba88
-
Filesize
31B
MD5b70ed9a5e09ad0e4c2e55df4bbded575
SHA134170a65f8a2d9f2273f69fa4115e46197e1db53
SHA2561b0f2beca8a0a79f689143a712f55f1721fcc3f540e9696d53204cd6db003ba3
SHA512c4a6bdbe44cc414534465b6d128708e337f73bfc23c79dfc877c27e569cabb0ca90b8d04c15cc6edc91abce112df11c164ba37df1f40b1fc70eed69cd0130b17
-
Filesize
31B
MD5c23961df4551bec45cfa91f9b0793cfc
SHA1b3cb3cf9b13184df073b5262e7b3514f49cad29f
SHA2564cdf2dad937a1754b576d6af111d9c9291900e7597607adcb7074b1c58eb04ef
SHA512ac3bdb0aa81e641443ad4c5b8844564e31997a400cddf0bad5a8e35d216691571d3b9179dfe66d91e9f2c0c6cb1beebbc6a5e9c17e17aeaf969e59812ab704b4
-
Filesize
253B
MD5b775a5a4faab19e5c95c75e3461b2725
SHA1744ad2a2d65b0fd4f83cd46ba8097cae27fda264
SHA256826327d415e365d8e8eb6f4ef70b8098e2a54fde194a7bc149b7322fd4d8fc2f
SHA512587efb9c1469df6e08ea0aa9e58b3a70db3a5481fdf4cb225785b5a597443621eaebe678998cabaa3b8c795a4250af7efb1b884826a3bb6f188a6ddd64ecb735
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB